In December 2012, we intercepted a professional-looking email that impersonated Facebook Inc. in an attempt to trick its users into thinking they had received an “Account Cancellation Request”. In reality, once users clicked on the links, their hosts were automatically exploited through outdated and already patched client-side vulnerabilities, which dropped malware on the affected PCs.

Over the past 24 hours, cybercriminals have resumed spamvertising tens of thousands of legitimate-looking Facebook themed emails, once again using the same social engineering theme.

Once executed, the sample sets the following Registry Keys to 1:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a20cd692-8e41-11e1-9999-806d6172696f}\BaseClass
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache(null)C:\WINDOWS\system32\ipconfig.exe
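As an added triage aid (not part of the original post or of Webroot's tooling), the following PowerShell snippet reads the three ZoneMap values listed above on the machine being examined and reports any that are set to 1; the function and parameter names are our own.

```powershell
# Added example: check the Internet Settings ZoneMap values the sample is
# reported to set to 1. Run on the workstation being triaged.
$ZoneMapPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$SuspectNames = 'ProxyBypass', 'IntranetName', 'UNCAsIntranet'

function Test-ZoneMapTampering {
    param(
        [string]   $Path       = $ZoneMapPath,
        [string[]] $ValueNames = $SuspectNames
    )
    $findings = @()
    if (-not (Test-Path -Path $Path)) { return $findings }   # key absent: nothing to report
    $props = Get-ItemProperty -Path $Path
    foreach ($name in $ValueNames) {
        $data = $props.$name
        # Only values that exist and equal 1 are flagged
        if ($null -ne $data -and [int]$data -eq 1) {
            $findings += [pscustomobject]@{ ValueName = $name; Data = $data }
        }
    }
    return $findings
}

$hits = Test-ZoneMapTampering
if ($hits) { $hits | Format-Table -AutoSize } else { 'No ZoneMap values set to 1.' }
```

These values are also set to 1 by legitimate Group Policy or Internet Options configuration, so a hit is a lead to correlate with the process and MUICache artefacts above, not a verdict on its own.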

It also (successfully) creates the following process:

C:\d97f042474a0b1814fd681dca3ec2c5edf7054acff979f585a044478bc7c5cbd

If you catch a Facebook impersonating email in the wild, please forward it to phish@fb.com to notify Facebook of the attack. Webroot SecureAnywhere users are proactively protected from this threat.